The problem with our cybersecurity problem

The problem is not that there are problems. The problem is expecting otherwise and thinking that having problems is a problem.

Theodore Isaac Rubin, American psychiatrist

We’ve got a cybersecurity problem, but it’s not the one we think we have. The problem is in how we think about cybersecurity problems. Too many of us are stuck in a reactive loop, looking for silver bullet solutions, when we need to change how we view cybersecurity problems instead. 

For CISOs at companies worldwide, across every industry, the struggle is real. There’s an incident, and the organization reacts. Too often, the response will be to buy a new software product that is eventually destined to fail, starting the reactive cycle all over again.

The trouble with this approach is that it forecloses the opportunity to be proactive instead of reactive, and given the rising stakes, we genuinely need a holistic approach. In the U.S., the average cost of a data breach now exceeds $4 million, and that may not include downstream costs, such as higher cyber insurance rates and the revenue hit the company may experience due to reputational damage. 

We need a new approach, and lessons from a generation ago can point us in the right direction. Back then, cybersecurity professionals created disaster recovery and business continuity plans, calculating downtime and its disruptive effects to justify investment in a holistic approach. We can do that again, but it will require less focus on tools and more clarity of purpose.

Clear as mud: Marketplace complexity and diverse cybersecurity needs

One barrier to clarity is the growing volume and sophistication of threats and the corresponding proliferation of tools to counter those threats. Fast cybersecurity solution growth was already a trend before the pandemic, but work-from-home protocols significantly expanded the attack surface, prompting a renewed focus on security and even more new solution market entrants.  

The availability of new tools isn’t the issue — many of the cybersecurity solutions on the market today are excellent and sorely needed. But expansion of an already crowded marketplace, along with proliferating threats and evolving attack surfaces, makes it even more challenging for CISOs to know which path to choose. 

Further complicating matters is the fact that each organization has unique cybersecurity needs. They have different assets to protect, and the ideal schema varies considerably across organizations according to size, infrastructure (cloud vs. on-premise, etc.), workforce distribution, region and other factors. Gaining clarity requires a shift in mindset. 

Gain clarity by focusing on outcomes instead of tools

CISOs who are stuck in a reactive loop can start to break free of that pattern by focusing on outcomes instead of tools. The quote from Theodore Isaac Rubin at the top of this article is instructive here; the problem can’t be solved by replacing a failed tool, though depending on the circumstances, that may be necessary. 

The problem is the attitude about the larger problem, i.e., the delusion that we can solve our cybersecurity woes by finding the right product. The problem is being surprised when that doesn’t work, repeatedly.

Instead, it’s time to focus on the desired outcome — one that is unique to each organization depending on its threat landscape — and seek solutions across people, processes and technologies to reach that desired state. It can’t be all about software and platforms. If the pandemic years have taught us anything, it’s that people and processes have to be part of the solution too.

The business case for a new approach

A focus on outcomes and a plan that encompasses people, processes and technologies is a modern strategy that borrows a page from the disaster recovery and business continuity plans of the past in that it is comprehensive. It accounts for the revenue hit associated with cybersecurity exposure and justifies investment in a new approach to avoid those costs — that’s part of the business case.  

Another argument in favor of change is that it’s needed to address the speed at which threat vectors grow and asset protection must evolve today. At too many companies, the current cybersecurity posture is analogous to the way operating systems used to be periodically updated vs. the live updates we rely on now. Everything moves faster now, so waiting for a new release isn’t acceptable. 

A new approach will require broader input to formulate an adequate response because threats are more distributed than ever. CISOs need internal input from employees and business unit executives. They need information from the FBI and cybersecurity thought leaders. Many will require a partnership to guide the organization through this journey and enable the company to focus on its core business. 

Finding the right cybersecurity solution

Identifying the appropriate cybersecurity solution starts with defining critical business assets and a desired outcome. For CISOs who decide to partner with an expert to help them succeed on this journey, it’s a good idea to find a team that isn’t trying to sell a particular tool. It’s also important to consult experts who understand that solving the cybersecurity problem will involve people, processes and technologies.  

People are always going to be the front line of defense, so building a security-minded culture and matching processes will be critical. A partner who understands the crucial role people play is therefore essential. It’s also advisable to demand proof points from potential partners, such as access to a customer who has worked with the team through a breach.  

Our cybersecurity problem isn’t what we think it is. The real problem is a failure to accept that there are no magic bullets and that only a holistic approach that addresses the true scale of the threat — and all facets of the attack surface — is equal to the challenge. CISOs who accept this can break free of the reactive loop and proactively reduce organizational risk. 

Peter Trinh is an SME in cybersecurity at TBI Inc. 

Source